Energy's deal with Oracle applies new security benchmark

'We did not pay extra on our license,' Energy's Karen Evans says, adding the cost to Oracle will be offset by the savings from consolidating DOE's licenses.

The Energy Department has struck a deal with Oracle Corp. under an enterprise license agreement that requires the database vendor to configure its software to meet new security benchmarks.

Although software vendors have cooperated in developing configuration benchmarks, they typically have not shipped their products with those default settings because user requirements vary. The DOE deal is an example of a large government customer using its purchasing power to require more security out of the box.

'We have a large installed Oracle base within the department,' Energy CIO Karen Evans said at a press briefing last week. 'We leveraged our business requirements' when negotiating to consolidate Energy's Oracle licenses under a single contract.

Oracle also will test any security patches released to Energy for its software against the benchmarks to ensure they do not interfere with the secure settings.

The security benchmarks were announced at the same briefing by the Center for Internet Security, a nonprofit industry group in Hershey, Pa.

The 50-page benchmark document represents a consensus of government and commercial users on how Oracle8i and Oracle9i should be configured to achieve a basic level of security. It applies to software running under both Microsoft Windows and Unix.

The benchmarks, available at www.cisecurity.org, join a growing number of configuration benchmarks for software, including those for Windows NT, Win 2000 and Linux, and communication software for routers from Cisco Systems Inc. of San Jose, Calif.

The task force that compiled the benchmarks was a varied group, including government agencies such as Energy, the Defense Department and the National Security Agency, and companies such as Campbell Soup and Visa.

The Center for Internet Security also is developing a free automated tool to analyze a user's Oracle configuration and rate it against the benchmark settings.

To ensure that only current copies of tools and benchmarks are circulated, the CIS user agreements for these items prohibit redistribution. But CIS president Clint Kreitner said that to encourage government use of these tools, agencies will be allowed to distribute them internally.

Federal users will be able to access both the Oracle benchmarks and evaluation tool from the Web site of the Federal Computer Incident Response Center, at www.fedcirc.gov.

Sallie McDonald, acting director for outreach and awareness in the Homeland Security Department's National Cyber Security Division, said the Oracle agreement is an important step toward ensuring that the government's software is safe when it comes out of the box.

Less regulation

McDonald said the deal conforms with the National Strategy to Secure Cyberspace, which emphasizes public-private partnerships rather than government regulation. She said the deal is an example of 'putting your money where your mouth is.'

It did not require a lot of money, Evans said. The added services from Oracle were negotiated into the basic cost of the contract.

'We did not pay extra on our license,' she said. She said the cost to Oracle will be offset by the savings from centralizing management of Energy's licenses under a single deal. 'That generates efficiencies on their end.'

Besides custom configuration and patch services, Energy also will have access to internal Oracle information on software vulnerabilities being tracked by the company.

Energy also will use configuration management software from OpsWare Inc. of Sunnyvale, Calif., to ensure standard configurations of operating systems and databases when Energy offices download Oracle software for installation.

Evans, who has been named to take over as the Office of Management and Budget's director of e-government and IT, said she would like to expand the Oracle agreement across government under the General Services Administration's SmartBuy program. So far, GSA has not set any governmentwide licenses for the new program.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.